Summary
Under the proposed Cloud and AI Development Act (CADA), "concentration risk" is defined as the strategic vulnerability arising from the EU's critical dependence on a limited number of cloud computing service providers controlled by third countries. As explicitly stated in Recital 46, this dependence exposes the Union to risks including the extraterritorial application of foreign laws, potential service disruption, and reduced operational autonomy. To mitigate these threats, Article 29 mandates that Member States and Union entities conduct periodic risk assessments to identify activities critical to public order and determine the necessary "Union assurance level" (Levels 2, 3, or 4) for their cloud procurement, effectively forcing a shift away from high-risk, concentrated dependencies.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, addresses a fundamental structural weakness in the European digital ecosystem: the disproportionate market share held by non-European cloud providers. While previous legislation focused on data protection or cybersecurity, CADA as proposed treats "concentration risk" not merely as a commercial market-share issue, but as a direct threat to the Union's economic security, technological sovereignty, and public order.
The Nature of Concentration Risk: Grounded in Recital 46
The legal foundation for understanding concentration risk under CADA is found in Recital 46 of the proposal. The text states that the Union "still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries."
This dependence is not passive; it creates "critical strategic dependencies and concentration risks." The Recital details three specific categories of vulnerability that arise from this concentration:
- Extraterritorial Legal Reach: The proposal highlights that providers subject to third-country jurisdictions may be compelled by foreign laws to provide access to data stored in the EU. This creates a risk of "unauthorised access to sensitive information, technology leakage, data manipulation or exfiltration, [and] espionage." Crucially, these foreign laws may conflict with EU fundamental rights and data protection frameworks, creating a legal conflict where compliance with one jurisdiction violates the other.
- Operational Disruption and Control: Concentration risk includes the threat of "operational discontinuity." The Recital notes that "unilateral decisions by third-country actors could disrupt service provision." This could manifest as the degradation or disruption of service quality, or the complete termination of services, undermining the continuity of essential public and private services.
- Economic and Political Coercion: The proposal identifies risks related to "political and/or economic coercion." This includes the use of "vendor or technology lock-ins, embargos or sanctions, [and] monopoly pricing." Such tactics can damage the financial interests of the Union and Member States and, most critically, reduce the Union's "capacity to act autonomously."
The Role of Article 29: From Risk to Action
To operationalize the mitigation of these risks, Article 29 of the CADA proposal establishes a mandatory risk assessment framework. This article serves as the primary mechanism through which the abstract concept of "concentration risk" is translated into actionable procurement and operational requirements for public bodies.
Article 29(1) mandates that Member States and Union entities carry out risk assessments to:
- Identify public sector activities that use or will use cloud computing services.
- Determine which of these activities contribute to the preservation of public order. The text explicitly lists sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas of "national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."
- Determine the appropriate Union assurance level (Level 2, 3, or 4) for these identified activities.
The risk assessment is not a one-time exercise. Article 29(1) requires the first assessment to be completed within one year of the Regulation's entry into force, and thereafter "every two years, or whenever necessary." This periodic review ensures that the classification of activities and the associated sovereignty requirements evolve with the threat landscape and technological changes.
Assessing Sensitivity and Criticality
Article 29(2) specifies the precise factors that must be considered when assessing concentration risk. The assessment must evaluate:
- The sensitivity, criticality, and magnitude of the non-personal data processed.
- The nature, scope, context, and purpose of processing personal data, including the risk to the rights and freedoms of data subjects.
- The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
By explicitly linking the risk of unlawful access and service disruption to the choice of assurance level, Article 29 directly addresses the concentration risks outlined in Recital 46. If a risk assessment determines that a public sector activity is critical to public order, the entity must procure cloud services that meet higher sovereignty standards (Union assurance levels 2, 3, or 4). This effectively excludes providers that cannot demonstrate sufficient independence from third-country control, thereby reducing the concentration of critical infrastructure in the hands of a few non-EU entities.
Link to Procurement Obligations and Multi-Cloud Strategies
The output of the Article 29 risk assessment directly triggers procurement obligations under Article 30. While entities whose activities are not identified as contributing to public order must use services recognized at Union assurance level 1, those identified as critical must procure services recognized at levels 2, 3, or 4. This creates a market incentive for providers to meet higher sovereignty standards and reduces the concentration risk by diversifying the provider base for critical infrastructure.
Furthermore, Article 29(9) explicitly requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services. This is a direct mitigation tactic against concentration risk. By mandating the consideration of multi-cloud architectures, the proposal ensures that no single provider holds a monopoly over critical public sector data and operations, thereby enhancing resilience against service disruption or coercive measures.
Migration and Transition
Recognizing that shifting away from concentrated dependencies may require significant operational changes, Article 29(6) provides a framework for migration. If a risk assessment requires the migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period that "shall not exceed 12 months," taking into account technical feasibility, continuity of service, and data portability requirements.
What this means for you
For public-sector bodies, Union entities, and procurement officers, understanding concentration risk under CADA is essential for compliant and secure cloud procurement. The proposed regulation shifts the burden from simple technical compliance to strategic risk management.
- Conduct Mandatory Risk Assessments: You are required to conduct a risk assessment for your organization's cloud usage. Do not treat this as a generic IT audit. Specifically evaluate the risk of third-country access and service disruption for each cloud-based activity. The assessment must be documented and reviewed every two years.
- Map Activities to Public Order: Identify which of your activities contribute to public order (e.g., healthcare, emergency services, justice, critical infrastructure). These activities will require higher assurance levels (2, 3, or 4) and thus stricter provider vetting. If your activity falls under NIS2 Annex I or II, or involves law enforcement, it is highly likely to be classified as public order-relevant.
- Evaluate Provider Independence: When assessing cloud providers, look beyond technical performance and price. Scrutinize their corporate structure, ownership, and jurisdiction. Under the CADA sovereignty framework, providers subject to third-country control face stricter criteria, especially for higher assurance levels. You must verify whether the provider is subject to extraterritorial laws that could compel data access or service disruption.
- Plan for Multi-Cloud Strategies: Consider adopting a multi-cloud or multi-vendor strategy to mitigate concentration risk. Article 29(9) makes this a regulatory expectation. Diversifying your dependency reduces the impact of a single provider's failure or external coercion.
- Prepare for Migration: If your risk assessment reveals that current cloud services do not meet the required assurance level, you must plan for migration. Article 29(6) states that migration should occur within a reasonable transition period, not exceeding 12 months. Start planning now to ensure technical feasibility and data portability.
Common misconceptions
- "Concentration risk only applies to data privacy." While data privacy is a component, concentration risk under CADA is broader. It includes operational continuity, economic coercion, and national security. A provider might comply with GDPR but still pose a concentration risk if it can be compelled by a third country to shut down services or to grant access to data for national security purposes.
- "All cloud services must be EU-only." CADA does not ban non-EU providers outright. It establishes a tiered system. Non-EU providers can qualify for Union assurance level 3 if their home country meets specific safeguards (via an implementing act under Article 18). However, for the most critical activities (level 4), third-country control is generally prohibited unless specific derogations apply.
- "Risk assessments are optional or informal." Article 29 makes risk assessments mandatory for Member States and Union entities. They must be documented, reviewed every two years, and reported to the Commission. The methodology and templates will be specified in implementing acts.
- "Multi-cloud is just a technical preference." Under CADA, considering multi-cloud strategies is a regulatory expectation for mitigating concentration risk (Article 29(9)). It is a strategic requirement for protecting public order, not just a technical best practice.
- "CADA replaces existing cybersecurity rules." CADA complements existing rules like NIS2 and the Cybersecurity Act. It does not replace them but adds a specific layer of "sovereignty" and "public order" protection that addresses the strategic risks of third-country control, which technical cybersecurity standards alone do not cover.
This is general information about a draft EU regulation, not legal advice.